Difference between revisions of "ESAPI Encryption"

Revision as of 19:55, 11 December 2008

TODO

Potentially rename Seal and Unseal to better describe what they do
seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with (see CWE-649).

The API should include support for key rotation; indicated key used for encryption of data

The API should allow key management to be externalized, to allow developers to integrate their own key management strategies (such as a PKI).

The documentation for each method should indicate whether it is designed to protect integrity, confidentiality, or both; and whether it is suitable for encrypting transient items (such as hidden form fields) or is designed for long-term storage.

@@ Line 1: / Line 1: @@
 == Feature Overview ==
-The Encryptor API is designed to provide a simplified API for common operations developers may want to use in web applications.  It is not designed to be a general-purpose crypto API, but only to provide safe implementations of common functionality.
+TODO
 == Possible Enhancements ==
+* Potentially rename Seal and Unseal to better describe what they do
+* seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with (see [http://cwe.mitre.org/data/definitions/649.html CWE-649]).
-* seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with.
+* The API should include support for key rotation; indicated key used for encryption of data
-* The API should include support for key rotation
 * The API should allow key management to be externalized, to allow developers to integrate their own key management strategies (such as a PKI).
 * The documentation for each method should indicate whether it is designed to protect integrity, confidentiality, or both; and whether it is suitable for encrypting transient items (such as hidden form fields) or is designed for long-term storage.